While single sign-on technology has been recognized as a worthy goal in insurance technology circles for several years now, a quick scan of the industry still yields little evidence of centralized depositories for user IDs and log-ons that reduce the number of passwords that an employee, business partner or customer needs to access a carrier's systems.
"It's been a big topic for a number of years, and I think it's a utopia that hasn't been reached yet in many instances," according to Mike Barba, manager, business consulting, at SMART Business Advisory and Consulting, a Devon, Pa.-based firm with expertise in areas including enterprise risk management, regulatory accounting and claims management. "A lot of people will claim they have single sign-on, when in reality they do have local databases of users that they still need to manage," he adds.
In many ways, single sign-on (SSO) does represent a sort of utopia. Its benefits are far-reaching. From a security standpoint, SSO can eliminate the all-too-common "sticky note" approach to identity management that has been adopted by many employees who -- overwhelmed by the number of different log-on IDs and passwords they need to access applications -- have taken to writing their passwords down and storing (nay, displaying) the information in plain sight at their workstations. SSO implementations also can lead directly to ease-of-use improvements for customers, employees and producers by reducing the number of password gateways needed to navigate a Web site or application, without sacrificing security.
Thus far, the insurance industry has indeed struggled to implement this technology -- and thus realize its benefits -- in part because many of the applications and systems within insurers' technology environments are not ready for SSO. "A lot of the problems stem from the fact that a lot of applications aren't written to use standards-based authentication protocols or standard systems where identities are managed," Barba explains.
Too often, vendor-developed insurance applications have been created without any of the authentication standards needed for SSO, Barba says. Many third-party vendors traditionally have programmed only with functionality in mind. The idea of a standards-based approach to identity management -- such as through Lightweight Directory Access Protocol (LDAP), a standard created at the University of Michigan and further developed by the Internet Engineering Task Force -- has been an afterthought.
"It really comes down to the applications [insurers] choose to use and how they are implemented," Barba explains. "If companies have a lot of third-party applications, they're stuck at the hands of the developers of the third party as to whether or not they're going to be able to integrate the application into their single sign-on environment."